
Opened 2 years ago

Closed 2 years ago

#19723 closed defect (bug) (wontfix)

Setting only SSL_Login does not force SSL Login

Reported by: ccolotti
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3
Component: Security
Keywords: has-patch
Focuses:
Cc:

Description

I have noticed on 3.3 multi-site if Force_SSL_Login only is set it is actually not redirected to SSL. Only when BOTH force SSL_admin and SSL_Login are set do you get the SSL login page. I am running the default multi-site .htaccess as specified by the multisite setup. I am not sure if that needs to be modified, but it never had to be changed before 3.3.

Attachments (1)

19723.patch (1.2 KB) - added by kurtpayne 2 years ago.


Change History (5)


comment:1 kurtpayne, 2 years ago

  • Cc kpayne@… added
  • Component changed from General to Security
  • Keywords has-patch added

I can reproduce this in multisite and single site on 3.3.1. Patch 19723.patch forces an SSL login if the FORCE_SSL_LOGIN constant is set in wp-config.php regardless of FORCE_SSL_ADMIN.

One note: If FORCE_SSL_ADMIN is true, the URL returned from wp_login_url() (e.g. the "Log in" link in the sidebar in twentyeleven) will always be SSL, regardless of my patch. This seems like a minor impact, but it should be noted that front-end users will log in over SSL even when FORCE_SSL_LOGIN is not set.

comment:2 follow-up: nacin, 2 years ago

FORCE_SSL_LOGIN only forces that the credentials get sent over HTTPS, not the accessing of wp-login.php itself. If you want everything to be SSL you should set FORCE_SSL_ADMIN.

comment:3 in reply to comment:2 ccolotti, 2 years ago

Replying to nacin:

FORCE_SSL_LOGIN only forces that the credentials get sent over HTTPS, not the accessing of wp-login.php itself. If you want everything to be SSL you should set FORCE_SSL_ADMIN.

That makes sense. One would think that switch would at least just make the login page also SSL so you know you are secure. I know it is SENT over SSL when you submit.

comment:4 ryan, 2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This is done as part of the support for allowing logins over https or http. Visiting wp-login.php via https results in SSL-only cookies and redirection to the https admin. Visiting wp-login.php via http results in non-SSL cookies and redirection to the http admin. Currently, those who want wp-login.php to always be delivered over SSL must FORCE_SSL_ADMIN or use a plugin.

Last edited 2 years ago by ryan.
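The "use a plugin" route mentioned in comment:4, shown as an added example that is not WordPress core code, not the attached 19723.patch, and not written by anyone in this ticket. It assumes the site already answers on HTTPS at its configured site URL, that FORCE_SSL_ADMIN is deliberately left unset, and that the file is dropped into wp-content/mu-plugins/; the function names beginning with `example_` are placeholders chosen here. It uses only hooks and functions that exist in WordPress (`login_init`, `login_url`, `is_ssl()`, `site_url()`, `wp_safe_redirect()`).

```php
<?php
/*
Plugin Name: Force HTTPS for wp-login.php (added example)
Description: Added example for ticket #19723; not WordPress core code and not 19723.patch.
*/

// Assumptions (not from the ticket): the configured site URL is reachable over
// HTTPS, and FORCE_SSL_ADMIN is intentionally unset. With FORCE_SSL_ADMIN set,
// core already does this and the plugin is redundant.

/**
 * Send plain-HTTP requests for wp-login.php to the HTTPS version of the same URL,
 * so the login form itself is delivered over TLS. FORCE_SSL_LOGIN on its own only
 * protects the POSTed credentials (comment:2); this covers the page as well.
 */
function example_force_https_login_page() {
    // Already on HTTPS: nothing to do. Behind a TLS-terminating proxy, is_ssl()
    // is only correct if wp-config.php maps X-Forwarded-Proto onto
    // $_SERVER['HTTPS']; without that mapping this hook would redirect forever.
    if ( is_ssl() ) {
        return;
    }

    // Redirecting a POST would discard the submitted form, so only move GET/HEAD.
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    if ( ! in_array( $method, array( 'GET', 'HEAD' ), true ) ) {
        return;
    }

    // Build the target from the configured site URL rather than the Host header,
    // so a forged Host header cannot steer the redirect to another origin.
    $target = site_url( 'wp-login.php', 'https' );
    if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
        $target .= '?' . $_SERVER['QUERY_STRING'];
    }

    // 302 rather than 301: browsers cache 301s, which makes the change hard to undo.
    wp_safe_redirect( $target, 302 );
    exit;
}
add_action( 'login_init', 'example_force_https_login_page' );

/**
 * Rewrite links produced by wp_login_url() (e.g. the sidebar "Log in" link that
 * comment:1 mentions) to HTTPS so users reach the secure page without a redirect.
 */
function example_https_login_url( $login_url ) {
    return preg_replace( '#^http://#i', 'https://', $login_url );
}
add_filter( 'login_url', 'example_https_login_url' );
```

Once a visitor reaches wp-login.php over HTTPS, the behaviour described in comment:4 takes over: the auth cookies are issued SSL-only and the user is sent to the https admin, so this gives FORCE_SSL_ADMIN-like protection for anyone who logs in through the form without forcing every admin request onto TLS. The one condition worth checking before deploying it is the is_ssl() caveat in the comments: on a site behind a proxy that terminates TLS, confirm that a plain `curl -I http://SITE/wp-login.php` returns a single redirect to https and that the https URL then returns 200, not another redirect.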